[people/arne_f/ipfire-3.x.git] / nss_ldap / patches / nss_ldap-265-initgroups-minimum_uid.patch

This builds off of the recursion checking introduced by -depth to avoid
a deadlock if/when we recurse into ourselves while looking up the user's
UID to compare it to the configured value.  Revision for upstream #341.

diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
--- nss_ldap-265/ldap-nss.c	2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/ldap-nss.c	2010-08-19 17:25:09.000000000 -0400
@@ -34,6 +34,7 @@
 #endif
 
 #include <assert.h>
+#include <pwd.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
@@ -4356,20 +4357,55 @@
 int
 _nss_ldap_test_initgroups_ignoreuser (const char *user)
 {
-  char **p;
+  char **p, *buf;
+  size_t buflen;
+  struct passwd pwd, *passwd;
 
-  if (__config == NULL)
-    return 0;
-
-  if (__config->ldc_initgroups_ignoreusers == NULL)
-    return 0;
-
-  for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
+  if (__config != NULL)
     {
-      if (strcmp (*p, user) == 0)
-	return 1;
+      if (__config->ldc_initgroups_ignoreusers != NULL)
+        for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
+          {
+            if (strcmp (*p, user) == 0)
+              return 1;
+          }
+      if (__config->ldc_initgroups_minimum_uid >= 0)
+        {
+          memset (&pwd, 0, sizeof(pwd));
+          buflen = 0x100;
+          buf = malloc(buflen);
+          if (buf != NULL)
+            {
+              passwd = NULL;
+              while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
+                     (passwd != &pwd))
+                {
+                  switch (errno)
+                    {
+                      case ERANGE:
+                        buflen *= 2; 
+                        free(buf);
+                        if (buflen > 0x100000)
+                          buf = NULL;
+                        else
+                          buf = malloc(buflen);
+                        break;
+                      case EINTR:
+                        continue;
+                        break;
+                      default:
+                        free(buf);
+                        buf = NULL;
+                        break;
+                    }
+                  if (buf == NULL)
+                    break;
+                }
+            }
+          if ((passwd == &pwd) && (passwd->pw_uid < 1000))
+            return 1;
+        }
     }
-
   return 0;
 }
 
diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
--- nss_ldap-265/ldap-nss.h	2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/ldap-nss.h	2010-08-19 17:18:47.000000000 -0400
@@ -400,6 +400,7 @@
   time_t ldc_mtime;
 
   char **ldc_initgroups_ignoreusers;
+  int ldc_initgroups_minimum_uid;
 
   /* disable the do-res_init()-on-resolv.conf-changes hack */
   unsigned int ldc_resolv_conf_res_init_hack;
diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
--- nss_ldap-265/ldap-pwd.c	2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/ldap-pwd.c	2010-08-19 16:40:43.000000000 -0400
@@ -49,6 +49,7 @@
 #include "ldap-nss.h"
 #include "ldap-pwd.h"
 #include "util.h"
+#include "depth.h"
 
 #ifdef HAVE_PORT_AFTER_H
 #include <port_after.h>
@@ -242,6 +243,10 @@
 		      struct passwd * result,
 		      char *buffer, size_t buflen, int *errnop)
 {
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+  if (_nss_ldap_get_depth() > 0)
+    return NSS_STATUS_UNAVAIL;
+#endif
   LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
 	       LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
   AND_REQUIRE_MATCH(name, result->pw_name);
@@ -261,6 +266,10 @@
 		      struct passwd *result,
 		      char *buffer, size_t buflen, int *errnop)
 {
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+  if (_nss_ldap_get_depth() > 0)
+    return NSS_STATUS_UNAVAIL;
+#endif
   LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
 		 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
 }
diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
--- nss_ldap-265/nss_ldap.5	2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/nss_ldap.5	2010-08-19 17:19:23.000000000 -0400
@@ -445,6 +445,14 @@
 to return NSS_STATUS_NOTFOUND if called with a listed users as
 its argument.
 .TP
+.B nss_initgroups_minimum_uid <uid>
+This option directs the
+.B nss_ldap
+implementation of
+.BR initgroups(3)
+to return NSS_STATUS_NOTFOUND if called with a user whose UID is
+below the value given as the argument.
+.TP
 .B nss_getgrent_skipmembers <yes|no>
 Specifies whether or not to populate the members list in
 the group structure for group lookups. If very large groups
diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
--- nss_ldap-265/util.c	2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/util.c	2010-08-19 17:18:33.000000000 -0400
@@ -669,6 +669,7 @@
   result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
   result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
   result->ldc_initgroups_ignoreusers = NULL;
+  result->ldc_initgroups_minimum_uid = -1;
 
   for (i = 0; i <= LM_NONE; i++)
     {
@@ -1180,6 +1181,10 @@
 	      break;
 	    }
 	}
+      else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
+	{
+	  result->ldc_initgroups_minimum_uid = atoi(v);
+	}
       else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
 	{
 	  if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
--- nss_ldap-265/util.h	2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265-2/util.h	2010-08-19 17:19:46.000000000 -0400
@@ -92,6 +92,7 @@
 #define NSS_LDAP_KEY_PAGESIZE		"pagesize"
 #define NSS_LDAP_KEY_INITGROUPS		"nss_initgroups"
 #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS	"nss_initgroups_ignoreusers"
+#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID	"nss_initgroups_minimum_uid"
 #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS	"nss_getgrent_skipmembers"
 
 /* more reconnect policy fine-tuning */
--- nss_ldap-265/ldap.conf	2005-08-17 18:35:13.000000000 -0400
+++ nss_ldap-265/ldap.conf	2006-02-09 14:14:05.000000000 -0500
@@ -177,8 +177,8 @@
 #nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
 #nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
 
-# Just assume that there are no supplemental groups for these named users
-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
+# Just assume that there are no supplemental groups for system users.
+nss_initgroups_minimum_uid 500
 
 # attribute/objectclass mapping
 # Syntax:
Commit	Line	Data
6679571b MT	1	This builds off of the recursion checking introduced by -depth to avoid
	2	a deadlock if/when we recurse into ourselves while looking up the user's
	3	UID to compare it to the configured value. Revision for upstream #341.
	4
	5	diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
	6	--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
	7	+++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
	8	@@ -34,6 +34,7 @@
	9	#endif
	10
	11	#include <assert.h>
	12	+#include <pwd.h>
	13	#include <stdlib.h>
	14	#include <unistd.h>
	15	#include <string.h>
	16	@@ -4356,20 +4357,55 @@
	17	int
	18	_nss_ldap_test_initgroups_ignoreuser (const char *user)
	19	{
	20	- char **p;
	21	+ char *p, buf;
	22	+ size_t buflen;
	23	+ struct passwd pwd, *passwd;
	24
	25	- if (__config == NULL)
	26	- return 0;
	27	-
	28	- if (__config->ldc_initgroups_ignoreusers == NULL)
	29	- return 0;
	30	-
	31	- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
	32	+ if (__config != NULL)
	33	{
	34	- if (strcmp (*p, user) == 0)
	35	- return 1;
	36	+ if (__config->ldc_initgroups_ignoreusers != NULL)
	37	+ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
	38	+ {
	39	+ if (strcmp (*p, user) == 0)
	40	+ return 1;
	41	+ }
	42	+ if (__config->ldc_initgroups_minimum_uid >= 0)
	43	+ {
	44	+ memset (&pwd, 0, sizeof(pwd));
	45	+ buflen = 0x100;
	46	+ buf = malloc(buflen);
	47	+ if (buf != NULL)
	48	+ {
	49	+ passwd = NULL;
	50	+ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
	51	+ (passwd != &pwd))
	52	+ {
	53	+ switch (errno)
	54	+ {
	55	+ case ERANGE:
	56	+ buflen *= 2;
	57	+ free(buf);
	58	+ if (buflen > 0x100000)
	59	+ buf = NULL;
	60	+ else
	61	+ buf = malloc(buflen);
	62	+ break;
	63	+ case EINTR:
	64	+ continue;
65	+ break;
66	+ default:
67	+ free(buf);
68	+ buf = NULL;
69	+ break;
70	+ }
71	+ if (buf == NULL)
72	+ break;
73	+ }
74	+ }
75	+ if ((passwd == &pwd) && (passwd->pw_uid < 1000))
76	+ return 1;
77	+ }
78	}
79	-
80	return 0;
81	}
82
83	diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
84	--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
85	+++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
86	@@ -400,6 +400,7 @@
87	time_t ldc_mtime;
88
89	char **ldc_initgroups_ignoreusers;
90	+ int ldc_initgroups_minimum_uid;
91
92	/* disable the do-res_init()-on-resolv.conf-changes hack */
93	unsigned int ldc_resolv_conf_res_init_hack;
94	diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
95	--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
96	+++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
97	@@ -49,6 +49,7 @@
98	#include "ldap-nss.h"
99	#include "ldap-pwd.h"
100	#include "util.h"
101	+#include "depth.h"
102
103	#ifdef HAVE_PORT_AFTER_H
104	#include <port_after.h>
105	@@ -242,6 +243,10 @@
106	struct passwd * result,
107	char buffer, size_t buflen, int errnop)
108	{
109	+#ifdef HAVE_THREAD_LOCAL_STORAGE
110	+ if (_nss_ldap_get_depth() > 0)
111	+ return NSS_STATUS_UNAVAIL;
112	+#endif
113	LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
114	LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
115	AND_REQUIRE_MATCH(name, result->pw_name);
116	@@ -261,6 +266,10 @@
117	struct passwd *result,
118	char buffer, size_t buflen, int errnop)
119	{
120	+#ifdef HAVE_THREAD_LOCAL_STORAGE
121	+ if (_nss_ldap_get_depth() > 0)
122	+ return NSS_STATUS_UNAVAIL;
123	+#endif
124	LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
125	LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
126	}
127	diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
128	--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
129	+++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
130	@@ -445,6 +445,14 @@
131	to return NSS_STATUS_NOTFOUND if called with a listed users as
132	its argument.
133	.TP
134	+.B nss_initgroups_minimum_uid <uid>
135	+This option directs the
136	+.B nss_ldap
137	+implementation of
138	+.BR initgroups(3)
139	+to return NSS_STATUS_NOTFOUND if called with a user whose UID is
140	+below the value given as the argument.
141	+.TP
142	.B nss_getgrent_skipmembers <yes\|no>
143	Specifies whether or not to populate the members list in
144	the group structure for group lookups. If very large groups
145	diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
146	--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
147	+++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
148	@@ -669,6 +669,7 @@
149	result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
150	result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
151	result->ldc_initgroups_ignoreusers = NULL;
152	+ result->ldc_initgroups_minimum_uid = -1;
153
154	for (i = 0; i <= LM_NONE; i++)
155	{
156	@@ -1180,6 +1181,10 @@
157	break;
158	}
159	}
160	+ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
161	+ {
162	+ result->ldc_initgroups_minimum_uid = atoi(v);
163	+ }
164	else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
165	{
166	if (!strcasecmp (v, "on") \|\| !strcasecmp (v, "yes")
167	diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
168	--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
169	+++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
170	@@ -92,6 +92,7 @@
171	#define NSS_LDAP_KEY_PAGESIZE "pagesize"
172	#define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
173	#define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
174	+#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
175	#define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
176
177	/* more reconnect policy fine-tuning */
178	--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
179	+++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
180	@@ -177,8 +177,8 @@
181	#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
182	#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
183
184	-# Just assume that there are no supplemental groups for these named users
185	-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
186	+# Just assume that there are no supplemental groups for system users.
187	+nss_initgroups_minimum_uid 500
188
189	# attribute/objectclass mapping
190	# Syntax: